CIO Insights and Analysis from Deloitte

CONTENT FROM OUR SPONSOR

Please note: The Wall Street Journal News Department was not involved in the creation of the content below.

Managing IT Risks in Life Sciences

Sluggish sales and increasing costs are compelling many life sciences companies to focus on expense control. Yet, aggressive cost containment may compromise life sciences companies’ ability to address proliferating IT risks.

The pulse of the life sciences industry is quickening as medical device manufacturers and pharmaceutical and biotech companies race to address the twin challenges of rising costs and waning top-line revenue growth.

The prevalence of generic drugs has cut into traditional pharmaceutical companies’ sales and profit margins, causing many to seek innovative and inexpensive ways to produce new drugs. Meanwhile, regulatory requirements mandating longer, larger, and more diverse clinical trials have added to R&D costs. The cost of bringing a novel drug to market is now estimated at $1.3 billion.¹

Weak revenue growth, coupled with rising expenditures, has forced many life sciences companies to aggressively control costs in an effort to preserve shareholder value. Yet the relentless focus on cost containment puts pressure on life sciences companies’ risk management initiatives when IT risks such as data loss and damage are mounting across the industry.

“Many of the strategies life sciences companies are pursuing to drive growth and develop new drugs—including mergers, increased use of third parties, and expansion into emerging markets—introduce IT risks,” says Bruce Murphy, a principal with Deloitte & Touche LLP. “Life sciences companies that fail to effectively manage these risks may increase their exposure to data breaches, loss of intellectual property or sensitive customer data, regulatory fines, or legal fees tallying into the millions.”

Notably, companies across industries can learn from the challenges facing the life sciences sector as they employ similar business strategies and deal with similar risks. Here’s a look at three common strategies, their associated IT risks, and potential ways to mitigate them:

Mergers and Acquisitions

Several life sciences companies have pursued M&A activity to grow their businesses in recent years. In 2011, Japanese pharma company Daiichi Sankyo acquired Plexxikon Inc., which specializes in drug discovery and early development, for $805 million. The same year, cancer treatment developer SuperGen acquired biotech firm Astex Therapeutics for $25 million in cash and 32.4 million shares of SuperGen common stock, and Salix Pharmaceuticals acquired Oceana Therapeutics, a provider of gastroenterology and urology treatments, for $300 million. While M&A provides companies with opportunities to capture market share, expand product portfolios, and gain efficiencies, among other objectives, those results may go unfulfilled if IT risks are not addressed.

Associated IT Risks: One significant IT risk related to M&A is business disruption stemming from poor integration of enterprise systems, according to Muhammad Kashif, a manager with Deloitte & Touche LLP.

“When a company decides to pull the plug on one ERP system and shift the newly acquired or merged company to another, that transition needs to be seamless,” he says. “If outages occur, orders may be lost and revenues may go unrecognized, leading to accounting errors that can rankle customers and affect financial results.”

Another risk is data loss. Kashif notes that layoffs frequently take place during mergers and acquisitions, and with restructuring comes the risk of disgruntled former employees stealing intellectual property or selling it to competitors.

Potential Mitigation Techniques: Some companies are implementing data loss prevention (DLP) technologies that allow them to track data as it moves through their systems, according to Kashif. He says companies can program DLP systems with a set of rules to track the movement of data and scan their networks in search of unauthorized or duplicate repositories that may reside, for example, on employees’ PCs.

To address IT risks associated with post-merger systems integration, Kashif recommends rationalizing systems in both companies, identifying which systems should be maintained independently, merged with existing systems, or sunset post-merger, and establishing a plan for integrating or retiring those applications. Organizations that put more planning into such exercises lessen their chances of experiencing IT integration issues post-merger, he says. IT security assessments of each company’s ongoing IT integration efforts can also help identify high-risk areas that may lead to outages.

Use of Third Parties

Life sciences companies are increasingly turning to third parties, whether it is IT services firms to maintain their application portfolios at a lower cost or contract research organizations to perform specific R&D activities on their behalf.

Associated IT Risks: Like M&A, use of third parties presents potential for data loss. Using third parties also increases the potential for data manipulation. As data moves from one organization to its third-party provider (and potentially, to the third party’s services providers), Murphy notes that considerable stress is placed on information integrity. The many people handling data and the multiple connection points between organizations’ systems present opportunities for error and manipulation.

“If, for example, the integrity of clinical trial data gets compromised, the whole clinical trial process can be called into question, resulting in delayed or denied FDA approvals that can cost companies millions of dollars,” says Murphy.

Potential Mitigation Techniques: Life sciences companies can take several steps to address IT risks associated with using third parties. First, they need visibility into their third parties’ use of service providers and the extent to which their data gets transferred to downstream partners, according to Murphy. He suggests life sciences companies map the origination, movement, proliferation, and evolution of data through their own internal systems and to external vendors’ and their partners’ systems.

In tandem with the above efforts, Murphy recommends they classify data based on its significance to the business or regulatory requirements, and implement controls, such as encryption, obfuscation (sanitizing or de-identifying data), or DLP systems, to protect information based on its importance. Life sciences companies may then require their third parties to adopt their controls for safeguarding data.

Expansion into Emerging Markets

Many life sciences companies have set their sights on emerging markets to drive growth. In some countries, the market for drugs and medical products is expected to grow at double-digit rates through 2015, compared with single-digit rates in the U.S., according to proprietary Deloitte Consulting LLP research.

But emerging markets are not only a growth engine; they also present life sciences companies with opportunities to leverage their less expensive cost structures to develop new products. Governments in some emerging markets offer financial incentives to attract overseas companies’ manufacturing and research facilities.

Associated IT Risks: The control environment and cultural attitudes toward compliance and security may be less mature in emerging markets than U.S.-based life sciences companies demand. In some cases, these markets lack strong intellectual property, patent protection, and data security laws, heightening life sciences companies’ risk for breaches, IP theft, and regulatory fines.

Some companies are moving so quickly to expand their operations in emerging markets that they’re neglecting to involve IT in their expansion efforts, notes Murphy.

“Inconsistent or insufficient communication between IT and business operations may result in IT strategies that aren’t fully capable of supporting the business’s anticipated growth in a new market, fragmented IT infrastructures inside local geographies, or inefficient capital spending,” he says.

Potential Mitigation Techniques: Murphy urges business executives to include IT in discussions about overseas expansion. To address data loss and theft and button up compliance programs, he recommends companies undertake risk-based prioritization of data and data mapping exercises. He also recommends obfuscation, encryption, and using DLP systems.

“As organizations look to emerging markets to support and, in some cases, drive their business strategy, they need to confirm those efforts don’t erode their risk posture,” says Murphy. “IT risk will be an increasingly important area for life sciences companies to manage, and the trick will be balancing costs with business opportunities.”

About Deloitte Insights

Deloitte Insights for CIOs couples broad business insights with deep technical knowledge to help executives drive business and technology strategy, support business transformation, and enhance growth and productivity. Through fact-based research, technology perspectives and analyses, case studies and more, Deloitte Insights for CIOs informs the essential conversations in global, technology-led organizations.